Hi,

Short version: Marcus wants to enable PIE support globally.

Long version:

To make programs less affected by buffer overflows and similar exploits, one feature is "address space layout randomization" aka "ASLR". We already randomize various parts of the address space: stack, mmaps, libraries and the vdso. E.g. for /usr/bin/cat:

cat /proc/self/maps
00400000-0040c000 r-xp 00000000 08:01 397387 /usr/bin/cat
0060b000-0060c000 r--p 0000b000 08:01 397387 /usr/bin/cat
0060c000-0060d000 rw-p 0000c000 08:01 397387 /usr/bin/cat
    binary not randomized.
007d5000-007f6000 rw-p 00000000 00:00 0 [heap]
    heap not randomized.
7f530a549000-7f530a6ee000 r-xp 00000000 08:01 220 /lib64/libc-2.18.so
...
7f530ab17000-7f530ab18000 rw-p 00020000 08:01 52 /lib64/ld-2.18.so
7f530ab18000-7f530ab19000 rw-p 00000000 00:00 0
7fff71086000-7fff710a7000 rw-p 00000000 00:00 0 [stack]
7fff711fa000-7fff711fc000 r-xp 00000000 00:00 0 [vdso]
    everything randomized
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
    not randomized, but should be safe

To randomize the binary and heap, the binary needs to be packaged using the PIE options of the compiler (PIE == Position Independent Executable). This needs to be done during compilation (-fPIE) and during linking (-pie), which makes it harder to implement.

Advantages of PIE:
 - a bit more secure (though e.g. the major "codename" issues from 2014 (Heartbleed, Shellshock, Poodle) would not have been avoided by it...)

Disadvantages of PIE:
 - There have been performance concerns, but these are mostly relevant for i586 due to its low number of processor registers (and there it is around 5-10%). On platforms other than i586 there should be no performance decrease.

I adjusted some endangered packages manually, but it would be better to do this globally. Just changing %optflags / RPM_OPT_FLAGS is insufficient, as the linker also needs to be called specifically and this cannot be passed in via the configuration.
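Two checks a packager can run to verify the claims above, written as an added example for this thread (not code from the mail or from openSUSE). The first reads the ELF header: an executable linked with -pie has e_type ET_DYN and can be mapped at a random base, while a non-PIE one is ET_EXEC and is always loaded at its fixed link address (0x400000 on x86-64, as in the cat dump). The second compares /proc/<pid>/maps dumps from two runs of the same program and reports which named regions actually moved, which is the direct way to see what ASLR does and does not cover. The ELF headers and the second maps dump are constructed for the demo; the first dump is the one from the mail.

```python
"""Defender-side checks for PIE and ASLR coverage (added example, not from the mail)."""
import struct

ET_EXEC = 2   # fixed-address executable (not PIE)
ET_DYN = 3    # shared object, or a PIE executable


def elf_type(data: bytes) -> int:
    """Return e_type from an ELF header (ELF32 or ELF64, either endianness)."""
    if len(data) < 18 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    endian = "<" if data[5] == 1 else ">"   # EI_DATA: 1 = little, 2 = big
    return struct.unpack_from(endian + "H", data, 16)[0]  # e_type at offset 16


def is_pie(data: bytes) -> bool:
    """True if the executable can be loaded at a random base (e_type == ET_DYN).

    Caveat: shared libraries are ET_DYN as well, so only feed executables.
    Only -fPIE at compile time together with -pie at link time produces an
    ET_DYN executable; -fPIE alone still links an ET_EXEC binary.
    """
    return elf_type(data) == ET_DYN


def make_elf64_header(e_type: int) -> bytes:
    """Constructed minimal ELF64/x86-64 header for the demo (not a real binary)."""
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8  # 64-bit, LE, v1, SysV
    # e_type, e_machine (62 = x86-64), e_version, e_entry, e_phoff, e_shoff,
    # e_flags, e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    return e_ident + struct.pack("<HHIQQQIHHHHHH",
                                 e_type, 62, 1, 0x400000, 64, 0, 0,
                                 64, 56, 0, 64, 0, 0)


def parse_maps(text: str) -> dict:
    """Map each named region (file path or [heap]/[stack]/...) to its first start address."""
    bases = {}
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue  # anonymous mapping without a name; nothing to track
        start = int(parts[0].split("-")[0], 16)
        bases.setdefault(parts[5], start)
    return bases


def compare_maps(run_a: str, run_b: str) -> dict:
    """For every region present in both dumps: True if its base moved between runs."""
    a, b = parse_maps(run_a), parse_maps(run_b)
    return {name: a[name] != b[name] for name in a if name in b}


# Run 1: the non-PIE /usr/bin/cat dump quoted in the mail.
RUN_A = """
00400000-0040c000 r-xp 00000000 08:01 397387 /usr/bin/cat
0060b000-0060c000 r--p 0000b000 08:01 397387 /usr/bin/cat
007d5000-007f6000 rw-p 00000000 00:00 0 [heap]
7f530a549000-7f530a6ee000 r-xp 00000000 08:01 220 /lib64/libc-2.18.so
7fff71086000-7fff710a7000 rw-p 00000000 00:00 0 [stack]
7fff711fa000-7fff711fc000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
"""

# Run 2: constructed second invocation, mirroring what the mail describes
# (binary, heap and vsyscall fixed; libraries, stack and vdso moved).
RUN_B = """
00400000-0040c000 r-xp 00000000 08:01 397387 /usr/bin/cat
0060b000-0060c000 r--p 0000b000 08:01 397387 /usr/bin/cat
007d5000-007f6000 rw-p 00000000 00:00 0 [heap]
7f8c1e2a7000-7f8c1e44c000 r-xp 00000000 08:01 220 /lib64/libc-2.18.so
7ffd3b5c1000-7ffd3b5e2000 rw-p 00000000 00:00 0 [stack]
7ffd3b7e9000-7ffd3b7eb000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
"""


def report() -> dict:
    """Print and return the per-region verdict for the two dumps above."""
    verdict = compare_maps(RUN_A, RUN_B)
    for name, moved in verdict.items():
        print(f"{name:24s} {'randomized' if moved else 'NOT randomized'}")
    return verdict


if __name__ == "__main__":
    print("constructed ET_EXEC header is PIE:", is_pie(make_elf64_header(ET_EXEC)))
    print("constructed ET_DYN header is PIE: ", is_pie(make_elf64_header(ET_DYN)))
    report()
```

On a real system, feed is_pie() the first 64 bytes of the installed binary and compare_maps() two captures of /proc/<pid>/maps from separate runs; a region that keeps its base across runs is the one an attacker could rely on.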
Methods I am currently thinking about:

 - Change the compiler directly to build PIE binaries by default (change in gcc). Binaries that do not want it would need to use -no-pie / -fno-PIE.
   Advantages:
    - only some changes in .spec files where it is not wanted
    - would work for more than just the spec files using the %configure or %cmake macros

 - Change the %configure RPM macro to pass the PIE flags in by default (change in rpm).
   Advantage:
    - only some .spec files need to be changed where it is not wanted
   Disadvantage:
    - %configure would need an option to disable PIE for apps that break

 - (Manually changing all RPMs: not feasible.)

Any comments? I would try to work on the gcc approach when I am back at work, as time permits :/

Ciao, Marcus

--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-factory+owner@opensuse.org